The guidance, aimed at board directors, particularly audit committee members, as well as executive management and cyber practitioners, discusses how companies can apply COSO’s Enterprise Risk Management–Integrating with Strategy and Performance (ERM Framework), a widely used risk management framework, to protect organizations against cyberattacks. The guidance explains how organizations can leverage the five components and 20 principles of the ERM Framework to manage cyber risks.

COSO’s ERM Framework was updated in 2017 to spotlight the importance of applying ERM throughout an organization, particularly in strategic planning. One of the main drivers behind the 2017 update was the need for organizations to improve how they manage cyber risk. The new guidance provides context on the fundamental concepts of cyber risk management so that organizations can make better use of the technical cybersecurity frameworks they already have in place.

“As cyber threats increase in number, complexity, and destructiveness, organizations face a greater risk in achieving their strategic objectives,” said COSO Chair Paul Sobel in a statement last week. “COSO’s ERM Framework provides a foundation upon which a cybersecurity program can be built, integrating cyber risk management concepts with elements of strategy, business objectives, and performance, which can result in increased business value.”

The quickly evolving array of cyber threats makes it important for corporate boards to deepen their own understanding of cyber risk so they can effectively evaluate how well those risks are being addressed. “For nearly half of responding organizations (49 percent), cybersecurity is on the board’s agenda at least quarterly, according to Deloitte’s 2019 Future of Cyber Survey.”[i] It is crucial that boards develop cybersecurity expertise themselves or identify advisors who have the appropriate skills.

“C-suite leaders and board members need to stay committed to a more active and involved role in guiding their company’s cybersecurity strategy, and regulators are starting to require it. The pervasiveness of cyber will continue, as will the complexity and severity of the adversaries’ threats,” said Mary Galligan, managing director in cyber risk services at Deloitte & Touche LLP, in a statement. “Boards will need the right skill sets for proactively addressing technology, data and privacy issues to help those organizations thrive in the future. But thinking behind major initiatives like the ERM Framework can help organizational leaders continually evolve their understanding of cyber risks, so that they can make strategic decisions with cyber risk always in mind. A business-as-usual approach to cyber risk management is bound to result in catastrophic damage.”